Firewalls for dummies

Hackers. Script kiddies. Disgruntled employees. A lot of people out there may want to invade your system and kick up some trouble. Firewalls can help protect you. But how do you select and set up the right firewall solution? Relax! This friendly guide shows you step by step how to lock out the bad guys.

Table of Contents

Introduction

About This Book

How to Use This Book

What You Don't Need to Read

Foolish Assumptions

How This Book Is Organized

Part I: Introducing Firewall Basics

Part II: Establishing Rules

Part III: Designing Network Configurations

Part IV: Deploying Solutions Using Firewall Products

Part V: The Part of Tens

Icons Used in This Book

Where to Go from Here

Part I: Introducing Firewall Basics

Chapter 1: Why Do You Need a Firewall?

Defining a Firewall

The Value of Your Network

Get Yourself Connected

Modem dial-up connections

ISDN connections

DSL connections

Cable modems

T1 and T3

Wireless broadband

Address types

The need for speed and security

TCP/IP Basics

What Firewalls Do

What Firewalls Look Like

A firewall that fits

Network router

Appliance

Software-only firewalls

All-in-one tools

Rules, Rules, Everywhere Rules

Chapter 2: IP Addressing and Other TCP/IP Basics

How Suite It Is: The TCP/IP Suite of Protocols

Sizing up the competition

Networking for the Cold War: A very short history of TCP/IP

Peeling Away the Protocol Layers

The Numbers Game: Address Basics

URLs: How to Reference Resources

Understanding IP Addresses

1 and 1 is 10

What IP addresses mean

Private IP Addresses

Dissecting Network Traffic: The Anatomy of an IP Packet

Source address

Destination address

Transport layer protocol

Other stuff

The other Internet layer protocol: ICMP

Transport Layer Protocols

Staying connected: UDP and TCP

Ports are not only for sailors

Some ports are well known

Application Layer Protocols

Telnet

FTP

HTTP

SMTP

POP3

DNS

Complex protocols

Future protocols

The Keeper Of The Protocols

Putting It All Together: How a Request Is Processed

Chapter 3: Understanding Firewall Basics

What Firewalls Do (And Where's the Fire, Anyway?)

Basic functions of a firewall

What a firewall cannot do

General Strategy: Allow All or Deny All

Packet Filtering

Filtering on IP data

Stateful packet filtering

Network Address Translation (NAT)

Security aspects of NAT

Consequences of NAT

Application Proxy

Monitoring and Logging

Chapter 4: Understanding Firewall Not-So-Basics

Making Internal Servers Available: Static Address Mapping

Static IP address assignment

Static inbound translation

Filtering Content and More

Detecting Intrusion

Detecting an intrusion in progress

Responding to an intrusion

Reacting to a security incident

Improving Performance by Caching and Load Balancing

Caching Web results

United we stand, dividing the load

Using Encryption to Prevent Modification or Inspection

Encryption and firewalls

Who are you: Authentication protocols

The S in HTTPS

IP and security: IPSec

Virtual Private Networks (VPNs)

Chapter 5: "The Key Is Under the Mat" and Other Common Attacks

Intrusion Attacks: A Stranger in the House

Denial of Service Attacks

When everyone is out to get you: Distributed DoS attacks

How Hackers Get In

The key is under the mat: Insecure passwords

Default configurations

Bugs

Back doors

It's a zoo: Viruses, worms, and Trojan horses

Who are you: Man-in-the-middle attacks

Impersonation

Eavesdropping

Inside jobs

Other techniques

Can a Firewall Really Protect Me?

Are You Scared Yet?

Part II: Establishing Rules

Chapter 6: Developing Policies

Defining an Internet Acceptable Use Policy

Defining a Security Policy

Setting security policy

Identifying other components of the security policy

Chapter 7: Establishing Rules for Simple Protocols

Allowing Web Access

Configuring inbound packet filters

Configuring outbound packet filters

Finding Internet Resources

Providing name resolution to Internet-based clients

Providing Internet name resolution to internal clients

File Copy Protocols

File Transfer Protocol (FTP)

Trivial File Transfer Protocol (TFTP)

Messaging, Chat, and Conferencing

America Online (AOL) Messaging

I Seek You (ICQ)

MSN Messenger

Internet Relay Chat (IRC)

Net Meeting

Thin Client Solutions

Citrix Metaframe

Windows Terminal Services

Other Protocols

Network News Transport Protocol (NNTP)

Telnet

Internet Control Message Protocol (ICMP)

Chapter 8: Designing Advanced Protocol Rules

Rain, Sleet, Snow, and Firewalls: Getting the E-mail Through

Answering the right questions

Allowing access to external mail services

Allowing access to internal mail services

Knock, Knock: Who Goes There

Guarding the gate with Kerberos

Remote Authentication Dial-In User Service (RADIUS)

IPSee Encryption

When does IPSec fail?

Configuring a firewall to pass IPSec data

Let Me In: Tunneling through the Internet

Selecting a Tunneling Protocol

Using PPTP packet filters

Using L2TP/IPSec packet filters

Chapter 9: Configuring "Employees Only" and Other Specific Rules

Limiting Access by Users: Not All Are Chosen

Filtering Forms of Content

Filtering Other Content

Preventing access to known "bad" sites

Implementing Content Rating

Setting the Clock: Filtering on Date/Time

Part III: Designing Network Configurations

Chapter 10: Setting Up Firewalls for SOHO or Personal Use

No-Box Solution: ISP Firewall Service

Single-Box Solution: Dual-Homed Firewall

Screened Host

Bypassing the screened host

Variations on screened host

Deployment Scenarios

Allowing Internal network users to access the Internet

Deploying a Tunnel Solution using PPTP

Deploying a tunnel solution using L2TP

Chapter 11: Creating Demilitarized Zones with a Single Firewall

Looking at the Demilitarized Zone: No-Man's Land

Examining Typical DMZ Configurations

Designing Three-Pronged Firewalls

Pro and cons

Addressing decisions

Deploying a Three-Pronged Firewall

Deploying a tunnel solution using PPTP

Deploying a tunnel solution using L2TP

Deploying a Web server with a SQL back end

Building a Case for Multi-Pronged Firewalls

Deploying all three solutions in a multi-pronged firewall configuration

Chapter 12: Designing Demilitarized Zones with Multiple Firewalls

When Two Firewalls Are Better than One

DMZs with Two Firewalls

Deploying a tunnel solution using PPTP

Deploying a tunnel solution using L2TP

Deploying a Web server with a SQL back end

Allowing private network users to access the Internet

Hybrid Configurations

Alternate Tunneling Solutions

Part IV: Deploying Solutions

Using Firewall Products

Chapter 13: Using Windows as a Firewall

Firewall Functions in Windows

Windows 98 and Windows Me

File and printer sharing

PPTP client

Internet Connection Sharing: NAT for Dummies

Windows NT 4.0

Packet filtering

PPTP server

Windows 2000

Packet filtering

Network Address Translation (NAT)

L2TP and IPSec

Chapter 14: Configuring Personal Firewalls: ZoneAlarm and BlackICE

Home Computers at Risk

Home computers have changed

Hackers have changed

You have changed

Features of Personal Firewalls

Enterprise firewalls versus personal firewalls

How to Be Safe on the Internet

Personal Firewall: ZoneAlarm

ZoneAlarm features

ZoneAlarm user interface

ZoneAlarm installation

ZoneAlarm configuration tasks

Personal Firewall: BlackICE

BlackICE features

BlackICE user interface

BlackICE installation

BlackICE configuration tasks

Chapter 15: Microsoft's Firewall: Internet Security and Acceleration Server

Making Internet Access Faster and More Secure

Looking under the Hood: How ISA Works

Choosing between the Two Editions

Preparing for Installation

Installing ISA Server

Gathering information

Connecting by telephone

Examining the Three Clients

SecureNAT client

Firewall Client

Web proxy client

The best client for you

Following the Rules: The Two Types

Putting the two types together

Creating a protocol rule

Letting the Good Guys In

Publishing a Web server

Publishing non-Web server

Creating Packet Filters

Designing Your Network with ISA Server

A simple network

A network with a three-pronged DMZ

A network with a back-to-back DMZ

Taking the Next Step

Chapter 16: The Champ: Check Point FireWall-1

FireWall-1 Features

Access control

Tracking access: advanced logging, reporting, and alerting

Protection against commonly used attacks

Content security

Intrusion detection

Network Address Translation (NAT)

VPN-1

Performance

FireWall-1 Components

Standalone deployments

Client/Server deployment

FireWall-1 Installation

Installing the FireWall-1 files

Configuring FireWall-1

FireWall-1 Configuration Tasks

Starting the GUI client

Defining a computer object

Defining a firewall object

Defining a network segment

Creating a user account

Creating a group account

Defining a rule base

Installing the security policy

Chapter 17: Choosing a Firewall That Meets Your Needs

How Do You Decide?

What to Compare?

What Are Some of the Choices?

Part V: The Part of Tens

Chapter 18: Ten Tools You Can't Do Without

Sam Spade

SuperScan

FScan

Netstat

TCPView

TDIMon

FPort

Snort

Internet Scanner

Network Monitor

NetCat

Chapter 19: Ten Web Sites to Visit

www.sans.org

www.cert.org

www.microsoft.com/security

www.icsalabs.com

www.infosyssec.org

www.securityfocus.com

www.gocsi.com

www.isaserver.org

www.interhack.net/pubs/fwfaq

www.cerias.purdue.edu/coast

Appendix: Protocol Listings and More IP Protocol Numbers

ICMP Type Numbers

TCP and UDP Port Listing
Appendix